In quantum cryptography, the level of security attainable by a protocol which implements a particular task $N$ times bears no simple relation to the level of security attainable by a protocol implementing the task once. Useful partial security, and even near-perfect security in an appropriate sense, can be obtained for $N$ copies of a task which itself cannot be securely implemented. We illustrate this with protocols for quantum bit string commitment and quantum random number generation between mistrustful parties.



1 Introduction 

It is now well known that quantum information can guarantee classically unattainable security in a variety of important cryptographic tasks. We know too from no-go results that quantum cryptography cannot guarantee perfect security for every task. We cannot presently characterise precisely the tasks for which perfectly secure quantum protocols exist, or even the range of cryptographic tasks for which perfectly secure quantum protocols might possibly exist, because quantum cryptography involves more than devising quantum protocols for tasks known to be useful in classical cryptography. The properties of quantum information allow new and cryptographically useful tasks, which have no classical counterpart. Also, reductions and relations between classical cryptographic tasks need not necessarily apply to their quantum equivalents. This means that there is a wider range of tasks to consider, and that no-go theorems may not necessarily be quite as powerful as classical reasoning would suggest.

These remarks apply in particular to bit commitment and coin tossing, important cryptographic protocols whose potential for physically secure implementation has been extensively investigated. It is known that unconditionally secure quantum bit commitment is impossible for non-relativistic protocols: that is, protocols in which the two parties are restricted to single pointlike sites, or more generally, in which the signalling constraints of special relativity are ignored. No unconditionally secure non-relativistic coin tossing protocol has been found; no proof that no such protocols exist has yet been published either.

Unconditionally secure bit commitment is conjectured to be possible between parties controlling appropriately separated pairs of sites, when the impossibility of superluminal signalling is taken into account. Unconditionally secure coin tossing is simple to implement under these conditions. However, we restrict attention to non-relativistic protocols in the rest of this paper, taking this as understood rather than inserting "non-relativistic" throughout.

Some variants of bit commitment, for which non-relativistic protocols are not known to be impossible, have previously been studied. We consider here a different generalisation, bit string commitment, in which one party commits many bits to another in a single protocol. Two non-relativistic bit string commitment protocols, which offer classically unattainable levels of security against cheating, are described.

2 Bit string commitment 

Consider the following classical cryptographic problem. Two mistrustful parties, A and B, need a protocol which will (i) allow A to commit a string $a_1 a_2 \ldots a_n$ of bits to B, and then, (ii) at any later time of her choice, reveal the committed bits. The protocol should prevent A from cheating, in the sense that she should have little or no chance of unveiling bits $a'_i$ different from the $a_i$ without B being able to detect the attempted deception. In other words, A should be genuinely committed after the first stage. The protocol should also prevent B from being able to completely determine the bit string. More precisely, it must guarantee that, before revelation, B has little or no chance of obtaining more than $m$ bits of information about the committed string, for some fixed integer $m < n$.

This $(m, n)$ bit string commitment problem is a generalisation of the standard bit commitment problem, in which $n = 1$ and $m = 0$. Clearly, a protocol for bit commitment would solve this generalised problem, since the protocol could be repeated $n$ times to commit each of the $a_i$, and B would be able to obtain no information about the committed string. Conversely, classical reasoning implies that a protocol for the generalised problem, for any integers $m$ and $n$ with $m < n$, could be used as a protocol for standard bit commitment. For A and B can use any coding of a single bit $a$ by the $n$ bit string such that none of the $m$ bits available to B give information about $a$, and then use the protocol to commit A to $a$.

Classically, then, $(m, n)$ bit string commitment is essentially equivalent to bit commitment. However, there is no obvious equivalence between quantum $(m, n)$ bit string commitment and quantum bit commitment. The impossibility of unconditionally secure quantum bit commitment does not necessarily imply that, with an analogous definition of security, unconditionally secure quantum bit string commitment is impossible. In fact, the next sections show it can be achieved.
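An added illustration, not from the paper, of the classical reduction just described. A single bit $a$ is coded as an $n$-bit string whose XOR equals $a$: the first $n-1$ bits are uniformly random and the last is fixed by $a$, so any $m \le n-1$ of the bits are uniformly distributed whatever $a$ is, while all $n$ bits together determine $a$. The block checks both properties by exhaustive enumeration; function names and the choice $n = 4$ are my own.

```python
from itertools import combinations, product


def encode(a, n, randomness):
    """Code bit a as an n-bit word: the given n-1 random bits, then a parity bit
    chosen so that the XOR of the whole word equals a."""
    assert len(randomness) == n - 1
    last = a
    for r in randomness:
        last ^= r
    return tuple(randomness) + (last,)


def decode(word):
    """Recover a from a complete word: it is the XOR of all n bits."""
    a = 0
    for b in word:
        a ^= b
    return a


def marginal(a, n, positions):
    """Distribution (as a count table) of the bits at `positions` when a is encoded
    with uniformly random randomness, enumerated over all 2^(n-1) choices."""
    counts = {}
    for rnd in product((0, 1), repeat=n - 1):
        word = encode(a, n, rnd)
        key = tuple(word[i] for i in positions)
        counts[key] = counts.get(key, 0) + 1
    return counts


def leaks_nothing(n, m):
    """True iff every set of at most m positions has exactly the same distribution
    for a = 0 and for a = 1, i.e. m bits of the word give B no information about a."""
    for k in range(1, m + 1):
        for pos in combinations(range(n), k):
            if marginal(0, n, pos) != marginal(1, n, pos):
                return False
    return True


if __name__ == "__main__":
    n = 4
    print("any 3 of 4 bits leak nothing:", leaks_nothing(n, n - 1))  # True
    print("all 4 bits leak nothing:", leaks_nothing(n, n))          # False
    print("decode(encode(1)):", decode(encode(1, n, (0, 1, 1))))    # 1
```

Because the parity code works for $m = n-1$, it also works for every smaller $m$, which is all the reduction needs; B learning up to $m < n$ bits of the string is no better than learning nothing about $a$.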

3 Protocol 1 

Define qubit states $\psi_0 = |0\rangle$ and $\psi_1 = \sin\theta|0\rangle + \cos\theta|1\rangle$, where $\sin^2\theta = \delta$. We take $\theta > 0$ and $r = n - m$ to be security parameters for the protocol.

Commitment: To commit a string $a_1 \ldots a_n$ of bits to B, A sends the qubits $\psi_{a_1}, \ldots, \psi_{a_n}$, sequentially.

Unveiling: To unveil, A simply declares the values of the string bits, and hence the qubits sent. Assuming that B has not disturbed the qubits, he can test the bit values $a'_i$ claimed by A at unveiling by measuring the projection onto $\psi_{a'_i}$ on qubit $i$, for each $i$. If he obtains eigenvalue 1 in each case, he accepts the unveiling as an honest revelation of a genuine commitment. If he obtains eigenvalue 0 in any case, he concludes (assuming that noise is negligible) that A has cheated.

Security against A: Whatever strategy A follows, once she transmits the qubits to B, their respective density matrices $\rho_i$ are fixed. Let $p^i_j = \langle\psi_j|\rho_i|\psi_j\rangle$ be the probability of B accepting a revelation of $j$ for the $i$-th bit. We have

$$p^i_0 + p^i_1 \le \cos^2(\pi/4 - \theta/2) + \sin^2(\pi/4 + \theta/2), \qquad (1)$$

which is $\le 1 + \theta$ for small $\theta$. This is the standard definition of security against A for an individual bit commitment, with security parameter $\theta$. In other words, A's scope for cheating on any bit of the string is limited to slightly increasing the probability of revealing 0 or 1, by an amount $\le \theta$, which can be made arbitrarily small by choosing the security parameters appropriately.

Security against B: We assume that, prior to the commitment, B has no information about the bit string and regards every possible value as equiprobable. From B's perspective, then, he has to obtain information about a density matrix of the form

$$\rho = (1/2^n) \sum_{a_1 \ldots a_n} |\psi_{a_1} \ldots \psi_{a_n}\rangle\langle\psi_{a_1} \ldots \psi_{a_n}| . \qquad (2)$$

Holevo's theorem tells us that the accessible information available to B by any measurement on $\rho$ is bounded by the entropy

$$S(\rho) = -n\left( \frac{1+\sin\theta}{2}\log_2\frac{1+\sin\theta}{2} + \frac{1-\sin\theta}{2}\log_2\frac{1-\sin\theta}{2} \right). \qquad (3)$$

Now, for any fixed $\theta > 0$, we have $S(\rho) < n$. For any fixed $r$, by taking $n$ sufficiently large, we can ensure $n - S(\rho) > r$. In other words we can ensure that, however B proceeds, an average of at least $r$ bits of information about the string will remain inaccessible to him. By choosing $n$ suitably large, we can also ensure that the probability of his obtaining more than $n - r$ bits of information about the string is smaller than $\epsilon$, for any given $\epsilon > 0$.

A more efficient version of this protocol can be devised using qutrit states — an observation I owe to Rob Spekkens.
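An added worked check of Protocol 1, not from the paper, in pure Python. For security against A it builds $P_0 + P_1$ from the code states $\psi_0, \psi_1$ and takes the largest eigenvalue, which is the most a dishonest A can make $p^i_0 + p^i_1$ (she attains it by sending the top eigenvector instead of a code state); this is compared with the right-hand side of (1) and with $1 + \theta$. For security against B it evaluates $S(\rho)$ of (3), using the fact that the single-qubit mixture $(|\psi_0\rangle\langle\psi_0| + |\psi_1\rangle\langle\psi_1|)/2$ has eigenvalues $(1 \pm \sin\theta)/2$, and finds the smallest $n$ with $n - S(\rho) \ge r$. Function names are my own.

```python
import math


def psi(bit, theta):
    """Code states of Protocol 1 as real 2-vectors: psi_0 = |0>, psi_1 = sin t|0> + cos t|1>."""
    return (1.0, 0.0) if bit == 0 else (math.sin(theta), math.cos(theta))


def projector_sum(theta):
    """The 2x2 real symmetric matrix P_0 + P_1 with P_j = |psi_j><psi_j|."""
    m = [[0.0, 0.0], [0.0, 0.0]]
    for bit in (0, 1):
        v = psi(bit, theta)
        for a in range(2):
            for b in range(2):
                m[a][b] += v[a] * v[b]
    return m


def max_eigenvalue_2x2(m):
    """Largest eigenvalue of a real symmetric 2x2 matrix [[a, b], [b, d]]."""
    a, b, d = m[0][0], m[0][1], m[1][1]
    return (a + d) / 2 + math.sqrt(((a - d) / 2) ** 2 + b * b)


def cheating_bound(theta):
    """max over rho_i of p^i_0 + p^i_1: Tr(rho (P_0 + P_1)) is maximised by the top
    eigenvector of P_0 + P_1, so the maximum is its largest eigenvalue."""
    return max_eigenvalue_2x2(projector_sum(theta))


def eq1_rhs(theta):
    """Right-hand side of eq. (1)."""
    return math.cos(math.pi / 4 - theta / 2) ** 2 + math.sin(math.pi / 4 + theta / 2) ** 2


def binary_entropy(p):
    """Binary entropy h(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def holevo_bound(theta, n):
    """S(rho) of eq. (3): rho is a product of n copies of the single-qubit mixture,
    whose eigenvalues are (1 +- sin theta)/2, so S(rho) = n h((1 + sin theta)/2)."""
    return n * binary_entropy((1 + math.sin(theta)) / 2)


def min_n_for_inaccessible_bits(theta, r):
    """Smallest n with n - S(rho) >= r, i.e. at least r bits stay hidden from B on average."""
    per_qubit = 1 - binary_entropy((1 + math.sin(theta)) / 2)
    return math.ceil(r / per_qubit)


if __name__ == "__main__":
    theta = 0.1
    print("best cheating p0+p1:", cheating_bound(theta))   # 1 + sin(0.1)
    print("eq. (1) right-hand side:", eq1_rhs(theta))     # same value
    print("1 + theta:", 1 + theta)
    n = min_n_for_inaccessible_bits(theta, 10)
    print("n needed to hide 10 bits:", n, "S(rho) =", holevo_bound(theta, n))
```

Both right-hand-side terms of (1) equal $(1 + \sin\theta)/2$, so the bound is $1 + \sin\theta \le 1 + \theta$; the closed-form eigenvalue and the trigonometric expression agree to rounding. The last lines show the price of bit-wise security against A: with $\theta = 0.1$, $S(\rho)$ is only about 0.7% below $n$, so hiding $r$ bits from B needs $n$ of order $140 r$ qubits, which is the inefficiency Protocol 2 removes.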
4 Protocol 2



Protocol 1 ensures bit-wise security against A, but uses a rather inefficient 
bit string coding which allows B to obtain almost all of the bit string before 
revelation. For large n, more efficient codings allow the security against B to 
be greatly enhanced, though with a weakened notion of security against A. 

We again take $\theta > 0$ to be a security parameter and write $\epsilon = \sin\theta$. Now, for any $\theta > 0$ and large $n$, explicit constructions are known for sets $v_1, \ldots, v_{f(n)}$ of vectors in $H^n$ such that $|\langle v_i|v_j\rangle| < \sin\theta$ for all $i \ne j$, with the property that $f(n) = O(\exp(Cn))$, where $C$ is a positive constant that depends on $\theta$. (The use of these constructions for efficient quantum coding of classical information has previously been noted by Buhrman et al., who describe efficient quantum fingerprinting schemes which reduce communication complexity in the simultaneous message passing model.) A string of $O(Cn)$ bits can thus be encoded by vectors in $H^n$, such that the overlap between the code vectors for two distinct strings is always less than $\sin\theta$, suggesting the following bit string commitment protocol.

Commitment: Let $N$ be the number of bits that can be encoded in $H^n$ by the above construction. To commit a string $a_1 \ldots a_N$ of bits to B, A sends the state $v_{a_1 \ldots a_N}$, treating the index as a binary number.

Unveiling: To unveil, A simply declares the values of the string bits, and hence the state sent. Assuming that B has not disturbed the qubits, he can test A's claim at unveiling by measuring the projection onto $v_{a_1 \ldots a_N}$. If he obtains eigenvalue 1, he accepts the unveiling as an honest revelation of a genuine commitment. If he obtains eigenvalue 0, he concludes that A has cheated.

Security against A: As before, once A transmits a quantum state to B, its density matrix $\rho$ is fixed. Consider some set $i_1, \ldots, i_r$ of bit strings which A might wish to maintain the option of revealing after commitment. Let $P_i$ be the projection onto $v_i$, let $p_i = \mathrm{Tr}(\rho P_i)$ be the probability of A successfully revealing string $i$, and write

$$Q = P_{i_1} + \ldots + P_{i_r}. \qquad (4)$$

It is not too hard to verify that

$$\mathrm{Tr}(\rho Q) \le 1 + (r-1)\epsilon. \qquad (5)$$

In other words,

$$p_{i_1} + \ldots + p_{i_r} \le 1 + f(\epsilon, r), \qquad (6)$$

where, for any fixed $r$, $f$ can be made as small as desired by choosing $\theta$ suitably small.

So, given that A is determined to reveal a bit string from some finite set of size $r$, her scope for cheating is limited to increasing the probability of revealing any given element of the set by a fixed amount. For any fixed $r$, that amount can be made arbitrarily small by choosing the security parameters appropriately. If B's concern is to prevent cheating of this type, for some predetermined $r$, the protocol can guarantee him security.

Security against B: Holevo's theorem implies that the information about the $N \approx Cn$ bit string accessible to B is at most $\log n$ bits.
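An added numerical check of the bound (5), not from the paper. Instead of the Buhrman et al. code it uses a constructed toy family of $r$ real unit vectors $v_i$ in $\mathbb{R}^r$, $v_i \propto e_i + \delta(1, \ldots, 1)$, whose pairwise overlaps are all equal; $\epsilon$ is then read off the vectors as $\max_{i \ne j}|\langle v_i|v_j\rangle|$. The largest eigenvalue of $Q = \sum_i P_i$ is found by power iteration (valid because $Q$ is positive semidefinite); it is the largest value of $p_{i_1} + \ldots + p_{i_r}$ any state of A can reach, attained by the pure state along the top eigenvector, and is compared with $1 + (r-1)\epsilon$. Function and parameter names are my own.

```python
import math


def unit(v):
    """Normalise a real vector."""
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def code_vectors(r, delta):
    """Constructed toy code: r unit vectors in R^r, v_i = normalize(e_i + delta*(1,...,1)).
    All pairwise overlaps are equal and positive, a worst case for eq. (5)."""
    return [unit([delta + (1.0 if j == i else 0.0) for j in range(r)]) for i in range(r)]


def max_overlap(vecs):
    """epsilon = max over i != j of |<v_i|v_j>|, measured from the vectors themselves."""
    r = len(vecs)
    return max(abs(dot(vecs[i], vecs[j])) for i in range(r) for j in range(r) if i != j)


def apply_q(vecs, phi):
    """Q phi, where Q = sum_i P_i = sum_i |v_i><v_i|."""
    out = [0.0] * len(phi)
    for v in vecs:
        c = dot(v, phi)
        for k in range(len(out)):
            out[k] += c * v[k]
    return out


def top_eigenpair(vecs, iters=500):
    """Largest eigenvalue of Q and a unit eigenvector, by power iteration from a
    fixed start vector (Q is PSD, so the iteration converges to the top eigenpair)."""
    phi = unit([1.0 + k for k in range(len(vecs[0]))])
    lam = 0.0
    for _ in range(iters):
        q = apply_q(vecs, phi)
        lam = dot(phi, q)  # Rayleigh quotient <phi|Q|phi>
        phi = unit(q)
    return lam, phi


def reveal_probabilities(vecs, phi):
    """p_i = Tr(rho P_i) = |<v_i|phi>|^2 for the pure state rho = |phi><phi|."""
    return [dot(v, phi) ** 2 for v in vecs]


def cheating_sum(r=5, delta=0.1):
    """(best achievable p_1 + ... + p_r, top eigenvalue of Q, bound 1 + (r-1) eps)."""
    vecs = code_vectors(r, delta)
    eps = max_overlap(vecs)
    lam, phi = top_eigenpair(vecs)
    return sum(reveal_probabilities(vecs, phi)), lam, 1 + (r - 1) * eps


if __name__ == "__main__":
    total, lam, bound = cheating_sum(5, 0.1)
    print("epsilon:", max_overlap(code_vectors(5, 0.1)))          # 0.2
    print("sum of p_i for A's best state:", total, "=", lam)       # 1.8
    print("bound 1 + (r-1) eps:", bound)                           # 1.8
    honest = reveal_probabilities(code_vectors(5, 0.1), code_vectors(5, 0.1)[0])
    print("honest commitment to string 0:", honest)                # [1, 0.04, 0.04, 0.04, 0.04]
```

The bound (5) follows from Gershgorin's theorem applied to the Gram matrix $\langle v_{i_j}|v_{i_k}\rangle$, whose eigenvalues coincide with the nonzero eigenvalues of $Q$; with $r = 5$, $\delta = 0.1$ every overlap is exactly $0.2$, so the bound $1.8$ is attained, showing it cannot be improved without further assumptions on the code. An honest A committing to one string has $p_i = 1$ for it and $p_j = \epsilon^2 = 0.04$ for each other string, a sum of $1.16$, well below what the cheating state achieves but still bounded by (5).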

5 Asymptotically secure coin tossing 

Consider the following non-relativistic protocol for generating a string of $N$ random bits between mistrustful parties. We assume that $N$ is large, and take $M$ also to be large, with $\log M \ll N$. A prepares $M$ batches of $N$ Bell singlet states, and sends one particle from each of the $MN$ singlets to B. B chooses $(M - 1)$ of the batches, and asks A to send the second particle from each of the $(M - 1)N$ singlets in these batches. B tests that these $(M - 1)N$ pairs of particles are indeed singlets. If not, he concludes that A is cheating, and the protocol ends. If so, he accepts that A is honest. A and B then use the last batch of singlets to generate $N$ random bits, by carrying out correlated measurements (say of $\sigma_z$) and converting the results to a bit string using a previously agreed protocol.

Security against A: A can only cheat by preparing non-singlet states which bias the outcomes towards those she would prefer. Her scope for cheating is limited by the cut-and-choose step of the protocol, which ensures that, if any batch has low fidelity to $N$ singlet states, her cheating will almost surely be detected.

Security against B: B can cheat by carrying out measurements on every particle from every batch sent to him, deciding which batch gives the bit string most favourable for his purposes, and choosing the other $(M - 1)$ for the test. However, this will allow him to fix only $\approx \log M$ bits of information about the $N$ bit string. With suitable $M, N$ this is an insignificant fraction.
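An added quantification of B's cheating, not from the paper. Because a $\sigma_z$ measurement on one half of a singlet is unbiased, B's measurements on the $M$ batches give him $M$ independent uniformly random $N$-bit strings (a pseudo-random generator stands in for the measurements here; this is not a quantum simulation). His best use of the one batch he keeps is to choose the string that agrees with his preferred one on the longest leading run: the expected length of that run is $\sum_{k=1}^{N} \big(1 - (1 - 2^{-k})^M\big) \approx \log_2 M$, which the block evaluates exactly and by simulation. Function names, the strategy's scoring rule and the sample sizes are my own choices.

```python
import math
import random


def honest_batches(rng, M, N):
    """Constructed stand-in for B measuring his half of every singlet:
    each of the M batches yields N unbiased random bits."""
    return [[rng.randrange(2) for _ in range(N)] for _ in range(M)]


def longest_matching_prefix(batch, target):
    """Number of leading bits on which `batch` agrees with `target`."""
    k = 0
    while k < len(target) and batch[k] == target[k]:
        k += 1
    return k


def bits_forced_by_b(batches, target):
    """B's strategy: keep the batch whose leading bits agree with his preferred
    string for the longest run and hand the other M-1 batches over for the test.
    Returns how many leading bits of the final string he has thereby fixed."""
    return max(longest_matching_prefix(b, target) for b in batches)


def expected_forced_bits(M, N):
    """Exact expectation of that number for M uniform N-bit batches:
    E[max prefix] = sum_{k=1..N} Pr[some batch matches on the first k bits]
                  = sum_k 1 - (1 - 2^-k)^M, which is about log2(M) for M << 2^N."""
    return sum(1.0 - (1.0 - 2.0 ** (-k)) ** M for k in range(1, N + 1))


def simulate_mean_forced_bits(M, N, trials, seed=1):
    """Monte Carlo average of bits_forced_by_b over `trials` honest runs (seeded, so
    the result is reproducible); the target string is B's constructed preference."""
    rng = random.Random(seed)
    target = [1] * N
    total = 0
    for _ in range(trials):
        total += bits_forced_by_b(honest_batches(rng, M, N), target)
    return total / trials


if __name__ == "__main__":
    M, N = 256, 20
    print("log2 M:", math.log2(M))                                  # 8.0
    print("expected bits forced:", expected_forced_bits(M, N))      # about 8.3
    print("simulated mean:", simulate_mean_forced_bits(M, N, 300))  # close to the above
    print("fraction of the N-bit string:", expected_forced_bits(M, N) / N)
```

With $M = 256$ B fixes about $8.3$ of the $N$ output bits on average, a fraction that shrinks as $N$ grows with $\log M \ll N$; raising $M$ only adds one forced bit per doubling, which is the $\approx \log M$ behaviour stated in the text.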